Chapter 15 Further Reading

Essential References

The DAO Hack and Ethereum Fork

  • Ethereum Foundation Blog. "Hard Fork Completed" (July 20, 2016). The official announcement of the hard fork at block 1,920,000. Primary source for the fork event.
  • Siegel, David. "Understanding The DAO Attack" (June 25, 2016). CoinDesk. One of the earliest comprehensive technical analyses of the exploit, written days after the attack.
  • Shin, Laura. The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze. PublicAffairs, 2022. Investigative journalism covering the DAO hack and the alleged identification of the attacker. Essential reading for the human story behind the code.
  • Meier, Phil. "The DAO: The Hack, The Soft Fork and The Hard Fork." Ethereum Classic documentation. Presents the Ethereum Classic perspective on the fork.

Smart Contract Vulnerability Research

  • Atzei, Nicola, Massimo Bartoletti, and Tiziana Cimoli. "A Survey of Attacks on Ethereum Smart Contracts (SoK)." Principles of Security and Trust, 2017. The foundational academic survey of smart contract vulnerability classes.
  • SWC Registry (Smart Contract Weakness Classification). https://swcregistry.io/. A comprehensive registry of known smart contract vulnerability patterns, modeled after CWE (Common Weakness Enumeration) for traditional software. Each entry includes a description, code examples, and remediation.
  • Samczsun. "Taking Undercollateralized Loans for Fun and for Profit" (September 2019). Blog post by one of the most respected white-hat security researchers in DeFi, detailing oracle manipulation attacks. https://samczsun.com/
  • OpenZeppelin. "Reentrancy After Istanbul." Blog post analyzing how the Istanbul hard fork's gas cost changes affected reentrancy attack viability.

Flash Loans and DeFi Exploits

  • Qin, Kaihua, et al. "Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit." Financial Cryptography, 2021. Academic analysis of flash loan attack patterns with formal models.
  • Rekt News. https://rekt.news/. The definitive chronicle of DeFi exploits, written with technical precision and dry humor. The "leaderboard" ranks exploits by dollar value lost. Essential reading for any DeFi security researcher.
  • DeFi Llama Hacks. https://defillama.com/hacks. Real-time database of DeFi exploits with categorization by attack type, chain, and amount lost.
  • Euler Finance. "Euler Exploit: Post-Mortem." Official post-mortem of the March 2023 exploit and fund recovery, including technical details of the vulnerability and fix.

MEV and Front-Running

  • Daian, Philip, et al. "Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges." IEEE Symposium on Security and Privacy, 2020. The foundational academic paper on MEV, introducing the concept and measuring its scale.
  • Flashbots Research. https://writings.flashbots.net/. Research publications from Flashbots, the organization building MEV mitigation infrastructure. Covers MEV-Boost, MEV-Share, and the evolving MEV supply chain.
  • MEV Explore. https://explore.flashbots.net/. Dashboard visualizing MEV extraction on Ethereum in real time.

Auditing Methodology

  • Trail of Bits. "Building Secure Smart Contracts." https://building-secure-contracts.com/. Comprehensive guide to smart contract security by one of the leading audit firms. Includes tool tutorials, vulnerability patterns, and best practices.
  • OpenZeppelin. "Security Audits." https://blog.openzeppelin.com/security-audits. Published audit reports for major protocols (Compound, Aave, Uniswap, and others). Studying real audit reports is one of the best ways to learn what auditors look for.
  • Consensys Diligence. "Ethereum Smart Contract Best Practices." https://consensys.github.io/smart-contract-best-practices/. A continuously updated guide to Solidity security patterns.
  • Immunefi. "Web3 Security Library." https://immunefi.com/learn/. Educational resources from the dominant Web3 bug bounty platform, including write-ups of past vulnerabilities.

Security Tools

  • Slither Documentation. https://github.com/crytic/slither. Trail of Bits' static analysis framework. The GitHub repository includes detector documentation, tutorial examples, and integration guides.
  • Mythril Documentation. https://mythril-classic.readthedocs.io/. Consensys' symbolic execution tool. Includes tutorials on finding common vulnerability patterns.
  • Echidna Documentation. https://github.com/crytic/echidna. Trail of Bits' property-based fuzzer. The repository includes example contracts and property specifications.
  • Certora Documentation. https://docs.certora.com/. Formal verification tool with CVL (Certora Verification Language) tutorials and case studies.

Formal Verification

  • Permenev, Anton, et al. "VerX: Safety Verification of Smart Contracts." IEEE Symposium on Security and Privacy, 2020. Academic approach to automated verification of smart contract safety properties.
  • Bernardi, Giovanni, and Ekaterina Komendantskaya. "Formal Verification of Smart Contracts: Short Paper." ACM SIGPLAN, 2019. Overview of formal methods applied to Solidity.

Legal and Regulatory

  • SEC. "Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO." (July 25, 2017). The SEC report that concluded DAO tokens were securities. A primary source for understanding how securities law applies to token-based governance.
  • Department of Justice. "Man Arrested for Exploiting Decentralized Cryptocurrency Exchange" (December 27, 2022). Press release on the arrest of Avraham Eisenberg for the Mango Markets exploit. The prosecution it announces set a precedent for bringing criminal charges over DeFi exploits.

Practice Platforms

  • Ethernaut by OpenZeppelin. https://ethernaut.openzeppelin.com/. A gamified series of smart contract hacking challenges. Each level presents a vulnerable contract that you must exploit to complete. Excellent hands-on practice for the vulnerability patterns in this chapter.
  • Damn Vulnerable DeFi. https://www.damnvulnerabledefi.xyz/. A set of DeFi-focused security challenges covering flash loans, oracles, governance attacks, and more. More advanced than Ethernaut.
  • Capture the Ether. https://capturetheether.com/. Another gamified set of Solidity security challenges, covering a range of vulnerability classes.
  • Paradigm CTF. Past challenges from Paradigm's security CTF competition, available on GitHub. Advanced challenges that require deep protocol knowledge.

Suggested Reading Order

  1. Start with the SWC Registry to understand the taxonomy of vulnerability classes.
  2. Practice with Ethernaut (beginner) and Damn Vulnerable DeFi (intermediate) to build hands-on exploitation skills.
  3. Read rekt.news post-mortems of real exploits to understand how vulnerabilities manifest in production.
  4. Study published audit reports from OpenZeppelin and Trail of Bits to learn professional auditing methodology.
  5. Learn the tools by running Slither and Mythril on your own contracts and on the practice platforms.
  6. Go deeper with formal verification (Certora) and the academic papers for mathematical rigor.